Sunday, May 25, 2014

May 25th: Embrace your Inner Geek: Celebrate Geek Pride day

If you're reading this, odds are every dayis Geek Pride day for you.

Geek Pride Day (Spanish: Día del orgullo friki ) is an initiative to promote geek culture, celebrated annually on 25 May. The date was chosen as to commemorate the 1977 release of Star Wars (see Star Wars Day), but shares the same date as two other similar fan "holidays": Towel Day, for fans of The Hitchhiker's Guide to the Galaxy trilogy by Douglas Adams, and the Glorious 25th of May for fans of Terry Pratchett's Discworld.[1] Wikipedia

The initiative originated in Spain in 2006 as "Día del Orgullo Friki" and spread around the world via the Internet.

However, when you factor in Risk as part of this; Cost, Schedule and Scope (or Budget); you need to use a new paradigm, (and graph!).

Instead of just thinking about project risk in terms of cost overrun, or delays, consider what happens when you build insecurity vs building in security. By building in security you reduce the known unknowns of your information security risk footprint.

Let’s go back to project management 101: It costs you $1 to design it in, $10 to build it in later, $100 to fix it before it goes into production, and $1000 if you need to fix it once it has been turned over to operations.

For Information Security and Privacy issues, you not only have to account for the lost time (risk, poor quality, budget overruns, resources and scheduling problems), but you also have to look at regulatory and financial issues due to litigation. Your quality issues don’t just put users and customers off a little, you could lose them for life. Security Project Management 101 goes like this:

Ask your stakeholders: Do you want to budget $1 extra to design in security, or risk $5.4 million if things go really bad?

One User, Employee, or Vendor

One Character, one user one employee, or vendor who has access to your network can bring it down. The next character that can cause you a problem would be an insider; someone who has internal, privileged access to your network.

Yes, that character. You know who that is and wish you could do something about it. An insider with unnecessary access and a weak password helped bring a huge data breach at Target that could end up costing them $20Billion Dollars. Yes, Billion. That comes after Million, and just before Trillion. Not quite national debt numbers, but this number won’t play well during the next stockholders meeting.

What else can I do? What about that ‘one character’? Security Awareness Training, and not just a 30 minute computer based flyby of last year’s ghosts and goblins of data security, but a comprehensive, customized training program that will enroll that ‘one character’ as an ally. Not just for ‘the little people’, but for executives.

Instead of causing problems, that problem character (or characters) will understand their part in keeping the company safe and secure, especially if the executives lead the way by example.

One Byte

Insecurity vs in( )security. One byte. That is all it takes sometimes. During a recent web application assessment for a Fortune 100 company we noticed that one byte was missing. This one byte meant the difference between a reasonably secure user experience and a user experience that exposed massive numbers of users to identity theft, bank fraud, and spam.

What was that one byte? (non geeks can look away now and start humming. Come back in 5 minutes and we can wrap things up). On the company home page the button for the user login function pointed to ‘http://{company.com}/functions/login.asp’. (Do you notice the missing character?). A packet trace of the login function confirmed that the username and password were being sent across the wild world web without using any type of encryption.

The company didn’t need to worry about the HeartBleed bug, this information wasn’t encrypted anyway. Anyone listening would have access to information that should have been encrypted. Depending on how long this bug was in place, this could have possibly affected more than 10 million users just in 2013. Not quite up to Target’s 110 million faux pas, but still a respectable number.

Character of the Boss

The bad news is that you can’t fix everything with just one character, or changing one character, or firing one character. The good news is that the Character of the executive management can have more of a positive effect on the information security culture than all the firewall, audits and scrum masters in the world.

The Character of the Information Security group, CISO or CSO will directly reflect the support given by executive management. This top down approach isn’t just for project management or software programming, it is business 101. “It all comes down from the top”.

Employees who enjoy working for their company and respect their managers are more prone to make less mistakes in general, less mistakes on purpose, less security mistakes, and be less likely to ignore security and privacy policies. Their managers will be less likely to ignore policies and rules if their executive management respects them.

If your executive management does not respect their own security and privacy rules you can be sure that the employees won’t.

One Character at a Time

As you move through life, you will work for good bosses and bad. You will work at companies that have a good security and privacy program and you will work for companies that don’t care. If you are tasked with protecting a company that doesn’t care, there might be nothing you can do about it.

Just do your job, learn your craft and try to keep things in perspective. Ultimately it is only your job to detect the information security risks and inform your management. It is their responsibility to take it seriously. You can help by learning more about your company’s business. Your assumption that the company doesn’t care might just be your lack of understanding of the nature of their business.

Every vulnerability isn’t critical, and nothing is perfectly secure. One character at a time. One byte at a time. That is all that can be expected of anyone. one character can make all the difference. Make that character be you.

About the Author:Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached athttp://www.securityprivateers.com/.

Tuesday, May 6, 2014

Verizon has released the 2014 version of their Data Breach Investigations Report with predictable results: The hackers are winning. Cyber-Espionage, DDoS attacks, Crimeware, Web app attacks and credit card theft are among the attacks that Verizon summarizes with “92% of the 100,000 Incidents we've analyzed from the last 10 years can be described by just nine basic patterns.”

What have we learned from a decade of data breach investigations? The hackers are winning.

Let’s buy toys (tools, IDS/IPS/HIDS/NIDS/NAC) because they will protect us from untrained programmers, bad policies and lack of trained InfoSec professionals. The hackers are winning. Have I said that enough? Obviously not, since the point of every data breach or privacy loss report is that the hackers are winning. Do they have new tools? Are they funded by Wall Street and Startup Funds? Are they better trained or just more motivated?

Toys (tools) are nice, but if your people are well trained, and they care about and have a culture of security and privacy they will be better equipped to catch or prevent a data breach. As an example, the $1.6M worth of tools that Target bought that detected the breach when it first happened and then again when the hackers started to upload the 110 million records to their ‘cloud’ servers. These alerts were ignored.

Did anti-spam and anti-virus products protect RSA who suffered an attack that laid bare their source code? What about the South Carolina Department of Revenue? In both instances the hackers job was easy… Sending in phishing emails. For both RSA and SCDOR it was failed policies and procedures that cost RSA $55M and SCDOR $20M.

The problem is we can’t ‘package’ people. People are not scalable and VCs can’t fund them, and we don’t see billions of dollars in marketing telling companies they need a CISO or CSO. The CEOs, CIOs and CTOs see all the marketing hype about the next silver bullet. (How much in VC funding was announced today for ‘the last security product you will ever need’)?

Trade publications buzz around about a lack of available and qualified information security professionals but the reality is some sectors and industries aren’t ready to trust us(information security professionals). Yes, we have seen a 20% increase in salaries for CISOs nationally, and we read stories about a lack of infosec professionals, but the truth is, the adoption rate is still dismal. (The Hackers are winning!)

Why? Maybe because maybe we (infosec pros) have been crying wolf and asking for toys to do our jobs. We have been lazy. We blame the lack of understanding among the CEO and Board of Directors. I suggest that it is because we don’t understand that the business of business is, well, business. We think our job is to eliminate risks, but it is not. Our job is to ENCOURAGE RISK, responsible risk, measured risk, controlled risk.

We are seen by the CIO and CFO as the adversary, or we see the CIO or CFO as the adversary rather than our business partner. We think our superior knowledge, certifications, ribbons medals (and toys) means we know more about how to protect a company then the CEO who will be called to the carpet when the stock price plunges.

I say show the CFO how you can cut spending on information security and he will be eating out of your hands. Help the CIO increase network capacity while making things more secure and stable and he will light a candle for you and invite you to lunch more often.

If we help our organization deal with risks that are easily fixable and we do it without taking down the whole company in the process or wasting money, we will be trusted to swim in the executive pond; we will be invited to the round table. We will be able to positively affect both the bottom line and lower the risk profile of our company.

On one more note: Mentoring: If you are an experienced information security professional, please use your time and experience to help the up and coming new infosec generation. Give of your time, do presentations at your local ISSA, ISACA, PMI or InfraGard chapters. Not only are you helping with the next generation and the people who will report to you later, but this is good experience for you before you do a presentation before the CIO or CFO.

Maybe next year a new story that reports less data breaches won’t be mistaken for an April Fool’s Day joke, and the hackers won’t be winning.

About the Author:Michael Scheidell (@scheidell) is a Certified CISO, Senior Member IEEE (Computer Society), Corporate Information Risk Management and Privacy Expert, Managing Director of Security Privateers, and works as a consulting CISO for several multinational corporations in government, finance, manufacturing and health care. A recognized expert in the information security and privacy community with a strong history of innovation and entrepreneurship with a US patent on intrusion detection systems, Mr. Scheidell is a frequent conference speaker and subject matter expert in Information Security, Governance Risk, Compliance, and corporate privacy and has worked to secure US critical infrastructure such as Rail, Transportation and Utility companies. Mr. Scheidell can be reached athttp://www.securityprivateers.com .

Monday, May 5, 2014

I get paid to hack into banks, and not just by the bank president, and not just just before he goes on vacation. I also get paid by hospitals, universities, power and transportation companies to test their systems and tell them the most cost effective ways to protect themselves.

The time has come for all good CEO’s to come to the aid of their company. Your CIO is overworked, your users are stressed out wondering if they will be the downfall of their company, and your board of directors is looking at cybersecurity insurance and liability. You and your CIO know you need help but don’t know where to look.

I am available on a Contract, Retained or Interim position for a dynamic organization that is looking to hire or retain a Chief Information Security Officer and wants someone with a track record of reducing IT risk while contributing to the bottom line.

I am a certified CISO, Senior Member of IEEE – Computer Society and have over 15 years experience working for or with the CEO, CIO and Board of directors of many multi-national organizations helping them build their internal information security team.

One (little) breach of 110,000,000 records at Target and the both CIO and CEO have resigned. The board of directors took action against a CEO, president and Chairman of the Board who gave 35 years of his life to the company, but failed to see the coming tsunami. Hind sight is always 20/20. "Today we are announcing that, after extensive discussions, the board and Gregg Steinhafel have decided that now is the right time for new leadership at Target," a company statement posted on its website Monday morning http://pressroom.target.com/news/statement-from-targets-board-of-directors

Banks drop Target breach lawsuit amid Trustwave liability questions

Two banks have suddenly dropped what was expected to be a precedent-setting lawsuit related to the massive data breach at Target Corp., perhaps temporarily sparing the retailer's audit firm, Trustwave Holdings Inc., from being held liable for its client's breach.

They're all PCI compliant, and they're all being breached.

Michael Scheidell,Managing Director, Security Privateers

In the lawsuit, which was filed on March 25 in Chicago's U.S. District Court by Houston-based Green Bank and New York-based Trustmark Bank, the Minneapolis-based retailer was blamed for the weeks-long data breach, which occurred during the 2013 holiday shopping period. The breach resulted in the theft of approximately 40 million credit and debit card numbers, as well as the personal information of 70 million customers.

Unusually, the banks also sought to pin liability on Trustwave, one of the most prominent PCI DSS compliance assessment firms in the industry, alleging that Target had contracted the company to perform a number of security services, including providing "round-the-clock monitoring services" for its systems and bringing the company into compliance with PCI DSS standards.

Specifically, the lawsuit alleged Trustwave had "told Target that there were no vulnerabilities in Target's computer systems" after performing a scan on Sept. 20, 2013, and ultimately accused the security vendor of failing to "meet industry standards" by not spotting the Target breach in a timely manner.

Trustwave last week repeatedly declined to comment on the suit, but over the weekend the company published a short statement from its CEO, Robert McCullen, on its website denying some of the allegations laid out in the legal filing.

"Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations," McCullen said in the statement. "Contrary to the misstated allegations in the plaintiffs' complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target's network, nor did Trustwave process cardholder data for Target."

Though unclear what impact Trustwave's statement had on the pending litigation, ChicagoBusiness.com, who first reported on the lawsuit, confirmed court documents indicated the filing has been dropped, though noted it was "dismissed without prejudice," opening the doors for the suit to be refiled in the future.

At the time of publishing, neither Trustmark Bank nor Green Bank responded to Search Security's requests for comment. A Trustwave spokesperson said the company had no further comments at this time.

Michael Scheidell, CCISO, Managing Director for Boca Raton, Fla.-based IT assessment firm Security Privateers, said the lawsuit's allegations had seemed a "little strange." He questioned whether pulling the filing meant the banks' sources behind the information on Trustwave's involvement in the Target breach were reliable.

Though Trustwave's McCullen pointedly denied a number of allegations in his statement, including monitoring Target's systems and processing any cardholder data, McCullen did not deny that Target was a Trustwave client, Scheidell noted, nor that the security vendor had performed at least one PCI assessment for the retailer. If Trustwave did perform an assessment, Scheidell found the possibility of the auditors not finding any vulnerabilities, as indicated in the lawsuit, to be absurd.

"I've been doing this 14 or 15 years, and I've never not found a vulnerability" during an assessment, Scheidell said. "There's always something somewhere -- whether it's small or big, whether it's hard to take advantage of or leads to a data breach, there [are] always vulnerabilities somewhere. So that is a ridiculous statement."

Scheidell said it was unlikely a company the size of Trustwave would purposely ignore problems discovered during an assessment in order to keep a client happy, though he warned auditors and other companies that perform security assessments to be careful when negotiating final reports with clients.

While Scheidell said he has rarely ran into problems with clients that commission assessments, on one occasion a customer did ask his firm to change its assessment results because it couldn't hand over the findings to the executive committee without being asked to fix some issues. In that case, he said the problem was that the customer was running software that could no longer receive updates, a problem many merchants with Windows XP-based systems will face next week when XP's end-of-life date comes to pass.

"There's always the temptation for auditors to make the report look better," Scheidell said, "so they get that business next year."

Enterprises also need to adjust their expectations for what an assessment can accomplish, Scheidell said, especially when a company is found to be compliant with PCI DSS or another regulatory standard. In particular, he noted that PCI auditors come in at scheduled times and that IT and security teams have become adept at giving the auditors what they want. He said being PCI-compliant, as Target reportedly was, does not mean the organization is secure.

"PCI compliance in itself does not mean you're not vulnerable," Scheidell said. "It just means you met the specific requirements for that snapshot; that point in time when auditors came in.